Voip security
Download as PPTX, PDFâĸ3 likesâĸ974 views
This document discusses security issues and solutions related to Voice over IP (VoIP) systems. It begins with an introduction to VoIP and how it works, describing the protocols used including SIP, H.323, MGCP and RTP. It then outlines various security attacks on VoIP systems such as eavesdropping, denial of service attacks, and masquerading. Finally, it discusses approaches to enhancing VoIP security, including using encryption, firewalls, authentication, and secure protocols like SRTP.
Voip security
- 1. voipSecurity Ridhvesh Shethwala â 15mcei27
- 2. Outlines īŧIntroduction īŧWhat is Voip.? īŧHow Voip works.? īŧProtocol used in Voip īŧSecurity attack on Voip system īŧHow we can prevent it.? īŧConclusion īŧReference
- 3. Network Features PSTN (Voice) VoIP (Voice) Switch Circuit Switched Packet Switched Connection Connection Oriented Connection Oriented Bit Rate Fixed and low<=64kb/s Standard Bit Rate Bursts Nonexistent Error tolerance User error control Self error Control Info resending Can not (real time) It Can Delay Must be low and stable Very Less Delay
- 4. What is voip.? īŧVoIP (Voice Over Internet Protocol) is an IP network based voice transmission technology, instead of the traditional analog telephone line, it allows people to make telephone calls through broadband internet connections. īŧIn other words, just installing network telephone software on the PCs at each end, people can talk through to each other through the IP network. īŧWith the development of network technology, network IP telephony grew from PC-PC to IP-PSTN, PSTN-IP, PSTN- PSTN and IP-IP, etc.
- 6. How Voip works.? īŧAnalog Signal īŧConverting Analog to Digital Signal īŧCompress īŧEncode īŧPacketization īŧTransmitted through IP Network īŧDecode īŧDecompress īŧConverting Digital to Analog Signal
- 9. RTP īŧReal-TimeTransport Protocol (RTP) is an internet standard protocol, used to transfer real time data, such as audio and video. It can be used for IP telephony. īŧRTP includes two parts: data and control.The control part is called RealTime Control Protocol (RTCP). īŧVoIP uses protocols such as real-time protocol (RTP) and H.323 to deliver packets over the internet. īŧIt provides support for real-time applications, includes timing reconstruction, loss detection, security and content identification.
- 10. RTP (Cont.) īŧRTP Header contains information of the payload, such as the source address, size, encoding type, etc. īŧTo transfer RTP packet on the network, we need to use User Datagram Protocol (UDP) to create a UDP header.To transfer UDP packet over IP network, we also need to create an IP header. RTP Data structure RTP Data in IP packet
- 11. RTP (Cont.) RTP FEATURES:- īŧTo provide end-to-end delivery service for real time data, such as audio and video. īŧRTP uses time stamps and sequence numbers to implement reliable delivery, flow control and congestion control. īŧRTP is only a protocol framework, it is open to new multimedia software. īŧRTP and RTCP provide functionalities to deliver real time data. RTP and RTCP arenât responsible for synchronization, or something like it which is the higher level task.
- 12. RTCP īŧRealTime Control Protocol carries control information, which is used to manage the QoS. īŧIt provides supports for applications such as real-time conference. īŧThe supports include source identification, multicast- to-unicast translator, and different media streams synchronization. īŧThere are five types of RTCP packets:- I. RR: Receive Report II. SR: Sender Report. III. SDES: Source Description Items. IV. BYE: used to indicate that participation is finished. V. APP: application specified functions.
- 13. H.323 īŧH.323 is a set of protocols for voice, video, and data conferencing over packet-based networks such as the Internet. īŧThe H.323 protocol stack is designed to operate above the transport layer of the underlying network. īŧH.323 can be used on top of any packet-based network transport like Ethernet,TCP/UDP/IP, ATM, and Frame Relay to provide real-time multimedia communication. H.323 uses the Internet Protocol (IP) for inter-network conferencing.
- 14. H.323 (cont.) Scope of H.323 īŧPoint-to-point and multipoint conferencing support: īŧInter-network interoperability: īŧHeterogeneous client capabilities īŧAudio and video codecs: īŧManagement and accounting support: īŧSecurity: īŧSupplementary services
- 16. H.323 (CONT.) īŧAuthentication under H.323 can be either symmetric encryption- based or subscription-based. īŧFor symmetric encryption-based authentication, prior contact between the communicating entities is not required because the protocol uses Diffie-Hellman key- exchange to generate a shared secret identity between the two entities. īŧWith reference to the H.235 recommendation, a subscription-based authentication requires a prior shared secret identity, and there are three variations of this: ī Password-based with symmetric encryption, ī Password-based with hashing, and ī Certificate-based with signatures
- 17. MGCP īŧMedia Gateway Control Protocol (MGCP) is a protocol used for controllingVoice over IP (VoIP) Gateways from external call control elements. īŧMGCP is the emerging protocol that is receiving wide interest from both the voice and data industries. īŧMGCP is a protocol for controlling media gateways from call agents. It superseded the Simple Gateway Control Protocol (SGCP) . īŧIn aVoIP system, MGCP can be used with SIP or H.323. SIP or H.323 will provide the call control functionality and MGCP can be used to manage media establishment in media gateways.
- 18. MGCP (cont.) īŧCharacteristics of MGCP: -- A master/slave protocol. -- Assumes limited intelligence at the edge (endpoints) and intelligence at the core (call agent). -- between call agents and media gateways. -- Differs from SIP and H.323 which are peer-to-peer protocols. -- Interoperates with SIP and H.323.
- 20. MGCP (cont.) īŧMGCP provides: ī Call preservationâcalls are maintained during failover and failback ī Dial plan simplificationâno dial peer configuration is required on the gateway ī Hook flash transfer ī Tone on hold ī MGCP supports encryption of voice traffic. ī MGCP supports Q Interface Signalling Protocol (QSIG) functionality.
- 21. SIP īŧThe Session Initiation Protocol is a text-based signaling communications protocol, which is used to creation, management and terminations of each session. īŧIt is responsible for smooth transmission of data packets over the network. It considers the request made by the user to make a call and then establishes connection between two or multiple users.When the call is complete, it destroys the session.
- 22. SIP (CONT.) īŧSIP can be used for two party (unicast) or multi party (multicast) sessions. It works in along with other application layer protocols that identify and carry the session media. īŧThe protocol itself provides reliability and does not depend onTCP for reliability. Also, it depends on the Session Description Protocol (SDP) which is responsible for the negotiation for the codec identification
- 24. SIP (CONT.) īŧSIP Messages:- ī REGISTER â Registers a user with a SIP server ī INVITE â Used to invite to participate in a Call session ī ACK â Acknowledge an INVITE request ī CANCEL â Cancel a pending request ī OPTIONS â Lists the information about the capabilities of the caller ī BYE âTerminates a connection
- 26. SIP (CONT.) īŧServices Provided by the SIP ī Locate User ī Session Establishment ī Session Setup Negotiation ī Modify Session ī Teardown/End Session
- 28. Security Aspectsin VoIP Server authentication: īŧSinceVoIP users typically communicate with each other through someVoIP infrastructure that involves servers (gatekeepers, multicast units, gateways), users need to know if they are talking with the proper server and/or with the correct service provider.This applies to both fixed and mobile users.
- 29. Security Aspectsin VoIP (cont.) Voice confidentiality īŧThis is realized through encryption of the voice packets and protects against eavesdropping. In general, the media packets of multimedia applications are encrypted as well as voice data. Advanced protection of media packets also includes authentication/integrity protection of the payloads.
- 30. Security Aspectsin VoIP (cont.) Call authorization: īŧThis is the decision-making process to determine if the user/terminal is actually permitted to use a service feature or a network resource (QoS, bandwidth, codec, etc.). Most often authentication and authorization functions are used together to make an access control decision. Authentication and authorization help to thwart attacks like masquerade, misuse and fraud, manipulation and denial-of-service.
- 31. Security Aspectsin VoIP (cont.) Key Management: ī This includes not only all tasks that are necessary for securely distributing keying material to users and servers, but also tasks like updating expired keys and replacing lost keys. Key management may be a separate task from theVoIP application (password provisioning) or may be integrated with signalling when security profiles with security capabilities are being dynamically negotiated and session-based keys are to be distributed.
- 32. Security Aspectsin VoIP (cont.) Masquerading: īŧA masquerade is the pretense of an entity to be another entity. Masquerading can lead to charging fraud, breach of privacy, and breach of integrity. This attack can be carried out by hijacking a link after authentication has been performed, or by eavesdropping and subsequent replaying of authentication information. Using a masquerade attack, an attacker can gain unauthorized access to VoIP services. An attacker can steal the identity of a real user and obtain access by masquerading as the real user.
- 33. Security Aspectsin VoIP (cont.) Eavesdropping: īŧEavesdropping attacks describe a method by which an attacker is able to monitor the entire signaling and/or data stream between two or moreVoIP endpoints, but cannot or does not alter the data itself.
- 34. Security Aspectsin VoIP (cont.) Interception and Modification: īŧThese classes of attacks describe a method by which an attacker can see the entire signaling and data stream between two endpoints, and can also modify the traffic as an intermediary in the conversation.
- 35. Security Aspectsin VoIP (cont.) Denial of Service: īŧA denial of service (DoS) attack is an attack that is conducted to deliberately cause loss of availability of a service. We identify DoS attacks at several levels; transport-level, server level, signaling level. īŧTransport level: An IP-level DoS attack may be carried out by flooding a target, e.g. by ping of death or Smurf attack. īŧServer level: Servers may be rendered unusable by modifying stored information in order to prevent authorized users from accessing the service.
- 36. Security Aspectsin VoIP (cont.) Misrepresentation: īŧThe term misrepresentation is generically used to mean false or misleading communication. Misrepresentation includes the delivery of information which is false as to the identity, authority or rights of another party or false as to the content of information communicated.
- 37. Security Solutionin VoIP īŧ Confidentiality: Confidentiality can be achieved by using different encryptions techniques, which provide user authentication. For ex: a hash record key with a shared secret is used between the parties to prevent malicious users from call monitoring. Such measures should be taken to get confidentiality. īŧIntegrity: To protect the source of data we use Integrity that provides user authentication. It is used for origin integrity, and without integrity control, any non-trusted system has the ability to modify the different contents without any notice.
- 38. Security Solutionin VoIP (cont.) HTTP Digest Authentication: īŧSIP uses HTTP Digest Authentication method to authenticate data, such as password. HTTP Digest authentication offers one-way message authentication and replay protection, but it doesnât protect message integrity and confidentiality. īŧBy transmitting an MD5 or SHA-1 digest of the secret password and a random challenge string, HTTP Digest can protect password. īŧAlthough HTTP digest authentication has the advantage that the identity of the user is encrypted, and transmitted in cipher text, but if the password is short or weak, by intercepting the hash value, the password can be decrypted easily.
- 39. Security Solutionin VoIP (cont.) S/MIME: (Secure/Multi-Purpose Internet Mail Extension) īŧ MIME bodies are inserted into SIP messages. MIME defines mechanisms for integrity protection and encryption of the MIME contents. īŧSIP can use S/MIME to enable mechanisms like public key distribution, authentication and integrity protection, confidentiality of SIP signaling data. S/MIME relies heavily on the certification of the end user. īŧMoreover self certification is vulnerable to man-in-the- middle attack, so either the certificates from known public certification authorities (CAs) or private CAs should be used, so the S/MIME mechanism is seriously limited.
- 40. Security Solutionin VoIP (cont.) Firewall īŧFirewalls are usually used to protect trusted network from un-trusted network. Firewalls usually work on IP andTCP/UDP layer, it determines what types of traffic is allowed and which system are allowed to communicate. Firewall doesnât monitor the application layer. Since SIP needs to open ports dynamically, this enhances the complexity of firewall, as the firewall must open and close ports dynamically.
- 41. Security Solutionin VoIP (cont.) Some OtherWaysTo Protect:- īŧTo prevent message alteration established secured communication channel between communicating parties.To prevent media alteration and degradation use SRTP protocol. īŧUse secured devices for communication and switching of voice as well as data. īŧUse Strong authentication and password at device level. īŧChange defaults passwords and enable SIP authentication. Use the devices which support SRTP cipher technique.
- 42. Security Solutionin VoIP (cont.) īŧUseVLAN with 802.1x in internet to split data and voice traffic. īŧDisableTelnet in the phone configuration, allow only to administrators.To avoid message tampering and voice pharming attack use encrypted transmitted data using encryption mechanisms like IPsec,TLS and S/MIME.
- 43. Security Solutionin VoIP (cont.) īŧ for a secure session inVOIP we should take following measures: ī Use and maintain anti-virus and anti-spyware programs. ī Do not open unknown attachments of mails which have unknown or fake IDs. ī Verify the authenticity and security of downloaded files and new software. Configure your web browser(s) properly by enabling/disabling the necessary cookies. ī Active firewall session in your network and always place your back-up securely. ī Create strong passwords and change them regularly and do not disclose such information publicly.
- 44. Conclusion īŧVoIP system is low cost and less configuration than PSTN Network.VoIP is EmergingTechnology and contain some loop hopes so there are some attacks can possible on it. As in futureVoIP Replace the PSTN system it need better security. Using some of Secure protocols like SRTP and some advance Encryption standards, using firewall, end-to-end encryption we can make it secure.
- 45. References īŧCisco, âOverview of the Session Initiation Protocolâ, September, (2002) īŧDavid Gurle, Olivier Hersent, âMediaGateway to Media Controller Protocolsâ,August,(2003). īŧ Rohit Dhamankar Intrusion Prevention: The Future ofVoIP Security White paper (2010) īŧ PorterT âThreats toVoIP CommunicationSystems, Syngress Force EmergingThreat Analysisâ ,pg. 3-25. (2006). īŧMark Collier,ChiefTechnologyOfficer Secure Logix Corporation, "BasicVulnerability Issues for SIP Security.pdfâ,1 March (2005). īŧVoIP Security and PrivacyThreat Taxonomy "Public Release 1.0 24 October 2005" (access 29 Jan 2012)